[OpenAFS-devel] More on aklog

Derrick J Brashear shadow@dementia.org
Mon, 11 Oct 2004 18:35:55 -0400 (EDT)

On Thu, 30 Sep 2004, Rainer Schöpf wrote:

> A principal with a "." in its name does not work at all with Kerberos5
> tokens. This is explicitly forbidden by this snippet of code from
> rxkad/ticket5.c:
>    /*
>     * If the first part of the name_string contains a dot, punt since
>     * then we can't see the difference between the kerberos 5
>     * principals foo.root and foo/root later in the fileserver.
>     */
>    if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
>        goto bad_ticket;
> I don't see why this should be a problem: name and instance are well
> separated in the fileserver code. If I use the old aklog together with
> krb524d, no such restriction exists.

Jeff Altman explained why in the RT ticket you opened; basically, "because 
it can lead to 2 principals being treated as the same one".

Until the pts suite has been modified and we are using true krb5 
everywhere (or at least in the code path where such check happens) this 
will not be removed.

If you want an instance, create an instance. If you want a second 
principal, use some character other than . to separate the left part of 
the name from the right.
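The collision the quoted rxkad check guards against can be shown in a few lines. The following is an added illustration, not OpenAFS code: it models how Kerberos 5 principal components are joined into an AFS-style "name.instance" string (the `afs_name_from_krb5` function, the `krb5_name` struct and the sample names `foo.root` / `foo/root` are all constructed for this example), shows that a dotted first component and a real instance collapse to the same pts name, and applies the same "no dot in the first component" rule the ticket code enforces.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not the OpenAFS implementation. AFS/pts identities are
 * flat "name.instance" strings, while Kerberos 5 principals are lists of
 * components (comp[0]/comp[1]/...). */
#define MAX_COMPONENTS 4

struct krb5_name {
    int ncomp;
    const char *comp[MAX_COMPONENTS];
};

/* Join krb5 components the way AFS presents them to pts: "comp0.comp1".
 * Returns 0 on success, -1 if the output buffer is too small. */
int afs_name_from_krb5(const struct krb5_name *n, char *out, size_t outlen)
{
    size_t used = 0;
    int i;
    out[0] = '\0';
    for (i = 0; i < n->ncomp; i++) {
        size_t len = strlen(n->comp[i]);
        /* room for a '.' separator (not before the first part) plus NUL */
        if (used + (i ? 1 : 0) + len + 1 > outlen)
            return -1;
        if (i)
            out[used++] = '.';
        memcpy(out + used, n->comp[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* The rule from rxkad/ticket5.c: a dot in the first component is refused,
 * because after the join above it would be indistinguishable from a
 * separate instance component. Returns 1 if acceptable, 0 if the ticket
 * would be rejected. */
int first_component_acceptable(const struct krb5_name *n)
{
    if (n->ncomp < 1 || n->comp[0] == NULL)
        return 0;
    return strchr(n->comp[0], '.') == NULL;
}

/* Shows the ambiguity: "foo.root" (one component) and "foo/root" (two
 * components) map to the same AFS name. Returns 1 if they collide, -1 on
 * a buffer error. */
int demo_collision(void)
{
    struct krb5_name dotted = { 1, { "foo.root" } };
    struct krb5_name instanced = { 2, { "foo", "root" } };
    char a[64], b[64];
    if (afs_name_from_krb5(&dotted, a, sizeof a) != 0)
        return -1;
    if (afs_name_from_krb5(&instanced, b, sizeof b) != 0)
        return -1;
    return strcmp(a, b) == 0;
}

/* Convenience wrappers over the two constructed sample principals. */
int sample_dotted_accepted(void)
{
    struct krb5_name n = { 1, { "foo.root" } };
    return first_component_acceptable(&n);
}

int sample_instanced_accepted(void)
{
    struct krb5_name n = { 2, { "foo", "root" } };
    return first_component_acceptable(&n);
}

int main(void)
{
    struct krb5_name dotted = { 1, { "foo.root" } };
    struct krb5_name instanced = { 2, { "foo", "root" } };
    char buf[64];

    afs_name_from_krb5(&dotted, buf, sizeof buf);
    printf("krb5 foo.root -> pts %s, accepted=%d\n", buf,
           first_component_acceptable(&dotted));
    afs_name_from_krb5(&instanced, buf, sizeof buf);
    printf("krb5 foo/root -> pts %s, accepted=%d\n", buf,
           first_component_acceptable(&instanced));
    printf("same pts name: %d\n", demo_collision());
    return 0;
}
```

Both principals render as the pts name `foo.root`; only the one whose first component is literally `foo` with an instance of `root` passes the check, which is the behaviour the message describes (create an instance, or pick a separator other than `.`).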